Major cybersecurity firms are warning enterprise clients that the notorious Scattered Spider hacking group has shifted its focus to targeting airlines, following confirmed attacks on Hawaiian Airlines and WestJet that security experts say bear the group’s signature social engineering tactics.

“Unit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry,” Sam Rubin, senior vice president at Palo Alto Networks’ Unit 42, said in a LinkedIn alert. “Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.”

Google’s Mandiant threat intelligence unit echoed the warning, with Chief Technology Officer Charles Carmakal confirming in a LinkedIn post that the firm is “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.”

The vendor alerts come as multiple incident responders have attributed recent cyberattacks on Hawaiian Airlines and Canada’s WestJet to Scattered Spider, the same group behind devastating 2023 breaches of MGM Resorts and Caesars Entertainment that cost the companies millions of dollars.

The Scattered Spider group is also known as UNC3944, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest, and 0ktapus.

The cybersecurity vendor warnings gained credibility Friday when the FBI issued its own alert confirming the threat. “The FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector,” the bureau said, warning that attackers “rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access.”

The FBI warned that “once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware.” The attacks come during peak summer travel season, raising concerns about potential operational disruptions.

The third major sector in two months

The aviation targeting represents Scattered Spider’s third major industry focus in just two months, following concentrated attacks on insurance and retail companies. Between May and June 2025, retailers including Marks & Spencer, Harrods, Cartier, Victoria’s Secret, and Adidas suffered breaches attributed to the group, along with insurance giants Aflac and Philadelphia Insurance Companies.

About 70% of Scattered Spider’s targets belong to the technology, finance, and retail trade sectors, with the group demonstrating a pattern of focusing intensively on single industries before pivoting to new sectors.

“Scattered Spider has a history of focusing on sectors for a few weeks at a time before expanding their targeting,” Mandiant’s Carmakal said.

Sophisticated help desk deception campaigns

The group has perfected calling corporate help desks and impersonating employees to trick support staff into resetting passwords and adding unauthorized devices to multi-factor authentication systems.

Cybercrime syndicates like Scattered Spider operate as compartmentalized organizations, with distinct teams specializing in different attack phases, said Sunil Varkey, advisor at Beagle Security. “One such team is the social engineering team — typically low-cost, non-technical, and composed of skilled communicators — tasked with manipulating users and help desk staff to bypass security controls.”

Help desks present particularly vulnerable targets because they often operate as separate, outsourced functions with high employee turnover and predefined scripts. “This is a function with high employee turnover, as it is typically low-paying,” Varkey said. “Consequently, the context based on tenure is very limited in acting beyond the standard script.”

The group’s 2023 attack on MGM Resorts exemplifies its devastating impact: hackers impersonated an MGM employee and convinced help desk staff to reset credentials, ultimately leading to a ransomware attack that caused $100 million in losses and a 36-hour operational shutdown.

Airlines present high-value targets

Aviation companies are particularly vulnerable because they “rely heavily on call centers for a lot of their support needs,” making them susceptible to groups that specialize in help desk social engineering.

“Airlines also hold vast amounts of sensitive data, including customer PII, flight schedules, and operational information,” said Brijesh Singh, cybersecurity expert and additional director general of police, Government of Maharashtra, India, explaining why the group is targeting the sector. “Airlines’ complex global networks and supply chains make them prime targets. Infiltrations can quickly escalate, leading to substantial ransoms or stolen data being sold on the dark web.”

Help desks in aviation and other large sectors are especially exposed because they typically operate as outsourced, non-IT functions removed from day-to-day business operations. “The assumption with MFA is that if the user passes the second factor, they are a legitimate user,” Varkey said. “In many cases, MFA may not be OTP-based but rather secret questions, such as ‘your favorite sport’ or ‘your mother’s maiden name,’ which are too easy to guess or obtain through social media.”

The FBI noted that the group targets “large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”

Advanced persistence tactics

Recent incident reports reveal the group’s sophisticated approach to maintaining access. CISA reports that Scattered Spider actors “often search the victim’s Slack, Microsoft Teams, and Microsoft Exchange online” and “frequently join incident remediation and response calls and teleconferences” to understand how security teams are hunting them.

Mandiant is advising clients to “immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts” and implement additional verification before resetting passwords or adding MFA devices.
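For defenders who want to monitor for the pattern these alerts describe, the following added example (not from the article or any vendor quoted in it) flags accounts where a help-desk reset is followed shortly by enrollment of a new MFA factor, so the change can be confirmed with the employee through a separate channel. The event schema, the "helpdesk-" operator naming convention and the 30-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit events; the field names and action values are a
# hypothetical schema, not any identity provider's real log format.
EVENTS = [
    {"ts": "2025-06-27T14:02:11", "actor": "helpdesk-07", "action": "password_reset", "target": "j.doe"},
    {"ts": "2025-06-27T14:09:40", "actor": "j.doe", "action": "mfa_enroll", "target": "j.doe", "factor": "sms"},
    {"ts": "2025-06-27T15:30:00", "actor": "helpdesk-03", "action": "mfa_reset", "target": "a.lee"},
    {"ts": "2025-06-27T19:45:00", "actor": "a.lee", "action": "mfa_enroll", "target": "a.lee", "factor": "totp"},
    {"ts": "2025-06-27T16:00:00", "actor": "m.kim", "action": "mfa_enroll", "target": "m.kim", "factor": "totp"},
    {"ts": "2025-06-27T16:20:00", "actor": "helpdesk-07", "action": "mfa_reset", "target": "r.patel"},
    {"ts": "2025-06-27T16:24:00", "actor": "helpdesk-07", "action": "mfa_enroll", "target": "r.patel", "factor": "sms"},
]

RESET_ACTIONS = {"password_reset", "mfa_reset"}
HELPDESK_PREFIX = "helpdesk-"  # assumed naming convention for help desk operator accounts


def find_reset_then_enroll(events, window=timedelta(minutes=30)):
    """Return alerts where a help-desk reset on an account is followed,
    within `window`, by enrollment of a new MFA factor on that account."""
    last_reset = {}  # target account -> (time, operator, kind) of latest help-desk reset
    alerts = []
    # Fixed-width ISO 8601 timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        target = ev["target"]
        if ev["action"] in RESET_ACTIONS and ev["actor"].startswith(HELPDESK_PREFIX):
            last_reset[target] = (when, ev["actor"], ev["action"])
        elif ev["action"] == "mfa_enroll" and target in last_reset:
            reset_time, operator, reset_kind = last_reset[target]
            if when - reset_time <= window:
                alerts.append({
                    "account": target,
                    "operator": operator,
                    "reset": reset_kind,
                    "factor": ev["factor"],
                    "minutes_after_reset": int((when - reset_time).total_seconds() // 60),
                    # Enrollment performed by the operator rather than the user
                    # deserves a closer look during review.
                    "enrolled_by_operator": ev["actor"] == operator,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_reset_then_enroll(EVENTS):
        print(alert)
```

Legitimate resets also produce this sequence, so each alert is a prompt to verify the request with the account owner, not proof of compromise.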
